The Indian data protection law, which was introduced a couple of months ago, created uncertainty in the outsourcing sector.
The new law looked likely to put a lot of extra work on suppliers providing BPO. A few lawyers I spoke to at the time said it was still quite unclear how the law would hit Indian outsourcers, but it did seem clear that they would be hit in some way.
But the latest is that BPO companies in India will actually be exempt from the rule and will instead have agreements with the companies they are working for. So no change then? Read the Times of India article about it here.
Nasscom, the industry body representing Indian suppliers, said at the time that clarification would come.
The law, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, was introduced earlier this year. It was hoped that it would alleviate fears that, because no data protection law existed, data such as credit card details are at risk when handled by an Indian BPO. But it looked like it was going to place a major burden on the Indian suppliers.
The new rule is section 43A of the Indian IT Act. According to the Times of India in May, the rule states “that a corporate shall have to obtain permission through letter or fax or email from each client before collection of sensitive information. Thus, BPOs will have to inform the client regarding purpose of usage before collection of such information, if they go by the new IT rules 2011.”
This would create additional work and potential hurdles for Indian suppliers, which would have to obtain consent from the customers of their clients.
Kit Burden, a lawyer at DLA Piper, said at the time the law was being talked about that there had been a lot of panic, mainly from the US.
He said that, after going through the legislation, he interpreted it as meaning the consent only has to be given once. This would be given by the controller of the data, who would be the client of the service provider.
He welcomed the new legislation and said that if Europe accepts it as being as strict as its own, it would negate the need to put workarounds in contracts.
He told me today that there was a storm in a teacup. “There is no way the Indian government would introduce anything that would jeopardise one of the success stories of its economy.”
Is this a cop-out by the Indian government or was it always the plan?